Uploaded image for project: 'Xporter for Jira'
  1. Xporter for Jira
  2. XPORTER-2959

RCE vulnerability at Scheduled Report

    XporterXMLWordPrintable

Details

    • OK

    Description

      A Jira Project Manager can exploit Xporter Scheduled Report by Server-Side Injection - Remote Code Execution. An attacker could create a template with malicious code and change the output file extension before creating the Scheduled Report.

      Attachments

        1. upload_webshell.mp4
          42.81 MB
        2. hello.txt
          0.0 kB

        Issue Links

          Activity

            People

              rmbr Rui Rodrigues
              rmbr Rui Rodrigues
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 1 hour, 30 minutes
                  1d 1h 30m